Hackers Could Cause ‘Fake Earthquakes’ by Exploiting Vulnerable Seismic Equipment, Researchers Warn

Seismic monitoring equipment is vulnerable to common cybersecurity threats like those faced by IoT devices, a new research paper warns. Hackers could trigger ‘fake earthquakes,’ affecting emergency and economic responses to a seismic event, and generate mistrust in seismic technology among the population, the researchers say.

Seismic monitoring devices linked to the internet are vulnerable to cyberattacks that could disrupt data collection and processing, according to Michael Samios of the National Observatory of Athens and his fellow colleagues who put together a new study published in Seismological Research Letters.

Non-encrypted data, insecure protocols and poor user authentication mechanisms are among the security issues that leave seismological networks open to breaches, the authors note.

Because modern seismic stations are now implemented as an Internet-of-Things (IoT) station – and just as insecure as any other IoT device – Samios and his colleagues were able to identify threats to the equipment that infosec pros typically find in common IoT gear, from smart doorbells to security cams.

Probing the devices for weak points, the team found that “a malicious user could alter geophysical data, slow down data transmission and processing, or produce false alarms in earthquake early warning systems … causing the public to lose trust in seismic monitoring and potentially affecting emergency and economic responses to a seismic event.”

Samios believes a good first step to address the situation is to bring seismologists up to speed on cybersecurity, informing them how their equipment can be exploited by malicious actors.

“It seems that most seismologists and network operators are unaware of the vulnerabilities of their IoT devices, and the potential risk that their monitoring networks are exposed to,” said Samios. “Educating and supporting seismologists on information security is imperative, as in most cases unauthorized users will try to gain access through a legitimate user’s computer to abuse monitoring networks and IoT devices.”

The most notable security issues discovered by the team were a lack of data encryption, weak user authentication protocols and the absence of a secure initial-default configuration. They were able to conduct a successful denial-of-service (DOS) attack against the devices, rendering them unavailable throughout the attack, as well as retrieve usernames and passwords for some of the devices.

The team hacked even deeper into the seismic gear and was able to intercept seismological data transferred through the SeedLink protocol, a data transmission service used by many seismologists. In a follow-up lab experiment not included in the paper, the researchers were reportedly able to manipulate waveforms transferred by SeedLink, essentially changing the intensity of an earthquake – on paper, at least.

“It is interesting, though, that while these vulnerabilities normally appear on low-cost IoT devices priced at $50 or less, it was also confirmed that they are observed even in seismological and GNSS devices that cost many times more,” Samios said.

“This could potentially generate or conceal alarms on earthquake early warning and seismic monitoring systems, leading to disturbing situations,” the researcher warned.